0672317419 BonusCH 1/30/01 12:58 PM Page 1

BONUS CHAPTER
Internet Security and Acceleration Server

IN THIS CHAPTER
• ISA Server Capabilities 3
• Managing ISA Server 43
• Configuring ISA Server Clients 116
• Safe and (More) Secure 125

You probably already realize that connecting your organization's network to the Internet without a firewall is like driving with bad brakes: something disastrous is bound to happen eventually. Read my book Drew Heywood's Windows 2000 Network Services if you need convincing.

RRAS includes a network address translating (NAT) firewall. NAT is an effective firewall technique, but it lacks some desirable capabilities. Here are a few improvements one could ask for:

• NAT applies one security policy to all users communicating through the firewall. It would be very useful to be able to apply different policies to different users or groups.
• NAT has no way to authenticate users. If we want to control access to resources securely, an authentication mechanism is required.
• NAT cannot limit access to specific Internet resources. Users can obtain stock quotes and dirty pictures just as easily as they can get technical information from Microsoft.com. Unless recreational browsing is in the company business plan, we want some control over which Internet resources users can reach.
• NAT raises no red flags when intruders try to vaporize your network. We would like to know when an unwanted guest is knocking on the door.

Enter Microsoft Internet Security and Acceleration Server (ISA Server), which supplements the limited firewall capabilities of RRAS in a variety of ways. (In case you are suffering from acronym overload, and who isn't at this point, don't confuse ISA with IAS, the Internet Authentication Service discussed in Chapter 8 of the book.)
ISA's firewall component controls outgoing network traffic using policies that specify site, content, and protocol restrictions. Policies can be applied according to the characteristics of the network traffic or to the identities of users and their group memberships. Services on internal computers can be made available to the outside without compromising security.

As its full name suggests, security isn't ISA's only capability. But how does ISA "accelerate" Internet access? Apart from blowing the budget on ever-faster Internet connections and Web servers, caching is the most powerful tool available for improving data access performance. ISA includes a caching component that speeds access to commonly used Web objects by retaining local copies. Often-used Web objects can be retrieved locally, improving responsiveness while promoting efficient use of WAN bandwidth. The result is a more efficient Web access environment that is less easily overloaded as demand increases.

NOTE
As I am writing, ISA is in pre-release testing. This chapter was prepared using ISA Release Candidate 1.

ISA Server Capabilities

ISA is much more complex than its predecessor (Proxy Server 2.0) and includes two major functions:

• Enabling internal users to access external services under administrative control that can be tailored to the needs of the organization.
• Blocking external access to internal computers while, if desired, enabling external clients to access selected internal servers and services.

As an ISA Server administrator, you can allow or block any or all types of outbound and inbound packets, making the firewall as permeable as you require. To reduce the likelihood of inadvertent security leaks, ISA Server blocks every type of traffic that you have not explicitly allowed: packets are forwarded only when a rule you created permits packets with those characteristics.
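The four NAT shortcomings listed earlier (one policy for everyone, no authentication, no per-resource control, no alarm) and the policy model just described can be made concrete in a small rule engine. What follows is an added example, not ISA Server code and not its rule syntax: the rule types (site, protocol, user and group), the evaluation order (an explicit deny beats an allow, and anything not explicitly allowed is denied), and every user name, group name and hostname in the sample data are constructed for illustration.

```python
"""Toy model of user-, group-, site- and protocol-aware outbound policy with default deny.
Added illustration only: the rule model and evaluation order are assumptions, not ISA Server's engine."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional


@dataclass(frozen=True)
class Request:
    host: str                        # destination site the client asked for
    protocol: str                    # "http", "https", "ftp", ...
    user: Optional[str] = None       # None: nobody authenticated (the plain NAT situation)
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # "allow" or "deny"
    protocols: frozenset = frozenset()    # empty: any protocol
    sites: tuple = ()                     # glob patterns over the hostname; empty: any site
    users: frozenset = frozenset()        # users and groups both empty: anyone, even anonymous
    groups: frozenset = frozenset()

    def matches(self, req: Request) -> bool:
        if self.protocols and req.protocol not in self.protocols:
            return False
        if self.sites and not any(fnmatch(req.host, pat) for pat in self.sites):
            return False
        if self.users or self.groups:
            if req.user is None:          # an identity-scoped rule never matches an anonymous request
                return False
            if req.user not in self.users and not (req.groups & self.groups):
                return False
        return True


class Policy:
    def __init__(self, rules):
        self.rules = list(rules)
        self.audit = []   # every denial is recorded: the red flag that NAT alone never raises

    def decide(self, req: Request):
        matched = [r for r in self.rules if r.matches(req)]
        denies = [r for r in matched if r.action == "deny"]
        allows = [r for r in matched if r.action == "allow"]
        if denies:                        # an explicit deny always wins
            verdict = ("deny", denies[0].name)
        elif allows:
            verdict = ("allow", allows[0].name)
        else:                             # nothing explicitly allowed it: default deny
            verdict = ("deny", "default")
        if verdict[0] == "deny":
            self.audit.append((req.user or "anonymous", req.protocol, req.host, verdict[1]))
        return verdict


# Constructed sample policy; hostnames and group names are invented for the example.
SAMPLE_POLICY = Policy([
    Rule("block-quotes-site", "deny", sites=("*.stockquotes.test",)),
    Rule("web-for-staff", "allow", protocols=frozenset({"http", "https"}),
         groups=frozenset({"Staff"})),
    Rule("ftp-for-admins", "allow", protocols=frozenset({"ftp"}),
         groups=frozenset({"Domain Admins"})),
    Rule("vendor-docs-for-anyone", "allow", protocols=frozenset({"http", "https"}),
         sites=("docs.vendor.test",)),
])

SAMPLE_REQUESTS = [
    Request("www.microsoft.com", "https", "alice", frozenset({"Staff"})),
    Request("www.stockquotes.test", "https", "alice", frozenset({"Staff"})),  # deny beats allow
    Request("ftp.vendor.test", "ftp", "alice", frozenset({"Staff"})),           # no rule allows it
    Request("ftp.vendor.test", "ftp", "bob", frozenset({"Staff", "Domain Admins"})),
    Request("docs.vendor.test", "http"),                                        # anonymous, site rule
    Request("www.microsoft.com", "http"),                                       # anonymous, needs identity
]


def evaluate_samples():
    """Return the (action, deciding rule) verdict for each sample request, in order."""
    return [SAMPLE_POLICY.decide(req) for req in SAMPLE_REQUESTS]
```

The anonymous request for www.microsoft.com is the instructive case: the only rule that would allow general Web access is scoped to a group, so a client that never authenticated falls through to the default deny and lands in the audit list. That is exactly the combination of authentication, per-group policy and alerting that NAT by itself cannot provide.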
ISA Server supports Windows and non-Windows clients, although different capabilities are available to each. For example, Windows clients can be authenticated using Windows-integrated authentication and can use a Windows-specific firewall client. But UNIX, Linux, Macintosh, and other clients can still communicate through ISA Server, and non-Windows clients can even be authenticated using basic (plaintext) or certificate-based authentication. (Basic authentication sends the password in the clear, so protect it with SSL if the credentials matter.) To prepare ourselves for ISA Server administration, we will first examine the components and characteristics of ISA Server.

Client Types

ISA Server provides firewall services for three types of clients:

• Web Proxy clients are applications such as Web browsers that support the CERN proxy protocol.
• Windows firewall clients are Windows clients running the Windows Firewall Client software, enabling ISA to authenticate clients using Windows-integrated authentication and to control access using policies.
• SecureNAT clients are non-Windows computers, or Windows computers not running the Windows Firewall Client. SecureNAT improves on the native Windows 2000 NAT with better access filtering. We examined the Windows 2000 NAT in Chapter 7, "Routing with Routing and Remote Access Service."

Each of these client types is supported by a matching service on the ISA server. The relationships among ISA clients and services are illustrated in Figure 1.

FIGURE 1 ISA supports Web Proxy, firewall, and SecureNAT clients with corresponding services. (The figure shows the Web Proxy, firewall, and SecureNAT services on the ISA server between the internal, private network and the external, public network.)

• Web Proxy clients (usually Web browsers) are configured to direct all requests for outside Web resources to the Web Proxy service.
The chief contribution of the Web Proxy service is a cache that stores recently and frequently retrieved Web objects locally so that they can be served to clients without requesting them across the WAN. Any client software that supports the CERN proxy protocol can be a Web Proxy client, including non-Windows computers running a suitable Web browser.
• Windows firewall clients direct all requests for outside resources to the firewall service. Redirection is performed by a modified version of WinSock that determines whether service requests should be sent to internal servers or to ISA Server, which controls access to outside services. The firewall service can authenticate clients and use policies to determine whether a request is allowed. Requests for Web resources are redirected to the Web Proxy service, so all Windows firewall clients are indirectly Web Proxy clients as well. (Web Proxy redirection can be disabled.)
• SecureNAT clients are configured to use ISA simply by specifying the ISA server as the client's default router for reaching outside resources. The SecureNAT service maps clients' internal IP addresses and ports to public addresses and ports, editing datagrams as necessary using the NAT component of RRAS. The SecureNAT service itself then behaves as a firewall client: the edited datagrams are directed to the firewall service, which applies its own access filters and forwards requests to the WAN or to the Web Proxy service as appropriate.

A client cannot be both a firewall client and a SecureNAT client. Windows computers running the Windows Firewall Client software function as firewall clients. Windows computers not running the Windows Firewall Client software, as well as UNIX, Linux, Macintosh, and other computers, function as SecureNAT clients. However, both Windows firewall clients and SecureNAT clients can also be Web Proxy clients.
In fact, with the default configuration of ISA Server, the firewall service is itself a Web Proxy client that directs requests for Web resources to the Web Proxy service.

NOTE
Before sending a service request, firewall and Web Proxy clients must be able to determine whether the target server is internal or external, so that they can decide whether to address the packets to a local server or to ISA Server. SecureNAT clients make this determination using their routing tables. Firewall and Web Proxy clients use a different mechanism.

Firewall clients make the local-versus-remote determination by consulting a Local Address Table (LAT) that lists all IP address ranges that are to be regarded as internal. If a firewall client needs to direct a request to an IP address that isn't included in the LAT, the request is sent to the ISA server. The LAT is maintained on ISA Server and is downloaded periodically to the client. ISA Server also supports a Local Domain Table (LDT) that serves a function similar to the LAT, listing domain names that are used on the local network. Keep the LAT accurate: a firewall client treats any address listed there as local and contacts it directly, so an external range mistakenly added to the LAT bypasses the firewall client's policy handling.

Web Proxy clients also use a local address table, but they don't use the LAT or LDT tables that are defined for the firewall service. Separate local address tables are configured in the ISA Server administration console or on individual Web Proxy clients.

The Web Proxy Service

In human terms, a proxy is "a person authorized to act as a substitute." The Web Proxy server acts as a substitute for one or many network clients, letting them communicate with servers on another network without actually being openly connected to the remote network. It's a sleight-of-hand trick that provides firewall protection and some other benefits as well.

In part, a proxy server is a heavy-duty translator that acts as an intermediary between your network clients and the Internet. Look at Figure 2. Superficially, the proxy server looks like a router, but it isn't.
A router forwards packets more or less intact from one network to another, extending the reach of the computer that originated the packet. A router has a tough, busy life, but it is mostly one of receiving packets and forwarding them to the correct network.

FIGURE 2 Operation of a proxy server. (The figure shows a request for http://www.pseudo-corp.com travelling from the Web Proxy client at 10.1.0.25 to the Web Proxy service's internal address 10.1.0.5, and a second request from the proxy's external address 189.14.203.5 to www.pseudo-corp.com at 209.51.67.3; the responses follow the reverse paths.)

But nothing is simply passed through a proxy server. In Figure 2, the client can't actually communicate with the Internet. It communicates with the proxy server and thinks the proxy server is the Internet. Similarly, servers on the Internet can't communicate with the clients on the private network. Instead, servers communicate with the proxy server and think the proxy server is the client. In between, the proxy server copies, translates, and forwards as required to facilitate communication. As such, the proxy server functions as a firewall between the private and public networks, permitting packets to enter the private network only if they are generated in response to requests from local clients.

A Web Proxy client is configured to direct requests for external Web services to a Web Proxy server. By default, the Web Proxy server accepts requests for HTTP, HTTPS, FTP, and Gopher objects on port 8080. Upon receiving a Web service request from a Web Proxy client, the Web Proxy server generates a new request that is sent to the Web server specified by the client. These requests are sent to the port assigned to the Web server service, for example, port 80 for HTTP.

It is important to realize how the behavior in Figure 2 differs from the behavior if a router functioned in place of the Web Proxy service. If the middle box functioned as a router, the addressing shown for the service requests and service replies would be different. The client would resolve www.pseudo-corp.com to 209.51.67.3, and the service request would be addressed from 10.1.0.25 to 209.51.67.3. Recall that a router does not modify IP addresses as it forwards packets. Another difference is that the Web Proxy client directs all requests for external Web services to the Web Proxy. Thus, in the Web Proxy scenario, the client directs the Web service request to 10.1.0.5 (the proxy), not to the actual address of the Web server.

Although the World Wide Web emphasizes HTTP, several other protocols are also in common use in Web communication. The Web Proxy service supports the following protocols:

• HTTP
• FTP
• Gopher
• HTTPS (HTTP over Secure Sockets Layer)

Web Proxy Caching

The Web Proxy service can enhance Web communication by maintaining a cache of recently or frequently retrieved objects. When a Web Proxy client requests an object, the proxy server examines its cache before sending a query to the Internet. If the object is in the local cache, ISA Server can return it to the user without requesting it from the Internet.

Consider the clients and Web Proxy service shown in Figure 3. The following events might take place:

1. Web Proxy Client A requests the Web page www.pseudo-corp.com, directing the request to the Web Proxy server.
2. The Web Proxy requests www.pseudo-corp.com.
3. The Web Proxy receives the default HTML page from www.pseudo-corp.com along with any graphic, audio, or other objects that the page requires.
4. The Web Proxy forwards the objects to Client A.
5. If the objects are suitable for caching, the Web Proxy also stores them in its cache.
6. Web Proxy Client B requests the Web page www.pseudo-corp.com, directing the request to the Web Proxy server.
7. The Web Proxy examines its cache and, if the required objects are found, requests them from the cache.
8. The cache returns the objects to the Web Proxy server.
9. The Web Proxy service forwards the objects to Web Proxy Client B.

After Client A's request is fulfilled, subsequent requests for the same object can be satisfied locally. Clients receive the objects more quickly and there is no need to use WAN bandwidth to repeat the request.

ISA Server supports scheduled caching, enabling an administrator to specify Web sites that are to be cached on a periodic basis. Frequently used Web sites can be cached during periods of light traffic so that they are available for local access.

Forward and Reverse Caching

Caching can be configured to operate in forward and reverse modes. Forward caching, illustrated in Figure 3, stores external Web objects that are requested by internal users.

FIGURE 3 Caching is managed by the Web Proxy service. (The figure shows the nine steps listed above: Client A's request and the proxy's request to www.pseudo-corp.com, the responses, the objects being stored in the Web Proxy cache, and Client B's request being satisfied from the cache.)

Reverse caching, shown in Figure 4, is one of the techniques that has kept the World Wide Web from grinding to a halt. Reverse caching improves the efficiency and responsiveness of your Web servers when they provide objects to clients. It's one of the most effective ways to improve Web server performance without endlessly upgrading Web server hardware or expanding Web server farms.

Suppose that your organization operates a Web server that is publicly available to users of the Internet.
Ordinarily, Web servers perform a lot of disk access. Every time a user requests an object from your Web server, the Web server must retrieve the object from disk. Think about your organization's home page for a moment. In most cases, every user retrieves the same objects when they connect to your site; as a result, every new user connection results in disk activity to retrieve exactly the same data. With a reverse cache in front of the server, those objects are served to clients from the cache, without a request to the Web server and without the disk retrieval.

FIGURE 4 Reverse proxy caching. (The figure shows a Web Proxy client on the Internet reaching www.pseudo-corp.com on the private network through the Web Proxy service and its cache.)

Limitations of Caching

Caching is not a universal balm for Web performance ills, because many Web objects are not suitable for caching. Suppose that you visit a Web site that presents a custom home page to each user, perhaps based on identity information stored in a cookie on the user's computer. Or suppose that a Web page is generated as the result of a query. Dynamically generated pages like these are of value only to a single user, and then only for a short period of time, so they won't benefit from caching. (Worse, caching such a page would hand one user's personalized content to the next user who asks for the same URL, so the cache must honor a server's instruction not to store it.) When a Web server returns an object, it may specify a Time to Live for the object that declares the maximum amount of time the object should be held in cache. Otherwise, a default TTL can be configured for the cache.

Web Proxy Versus NAT

Superficially, the Web Proxy service looks like NAT. If you look at packets on the wire, however, significant differences are evident. Recall from Chapter 2, "TCP/IP Protocol Concepts," that a connection is established and closed with two explicit dialogs:

• A SYN/SYN-ACK/ACK dialog is used when the client negotiates a connection with a server.
• When it is time to close the connection, the client and server each initiate a FIN/FIN-ACK dialog that flushes any untransmitted data and closes the connection in an orderly manner.

When a client communicates through a NAT, the connection setup and closing dialogs take place between the client and the outside server. The NAT translates the client address in its role as intermediary and may edit some internal packet details, but the client forms no TCP connection with the NAT firewall. The standard connection setup and teardown dialogs mentioned above continue to apply. With the Web Proxy, however, the connection works differently. Specifically:

• The client opens a connection with the Web Proxy server, which is the Web server as far as the client is concerned.
• The Web Proxy server opens a separate connection with the Web server. As far as the Web server is concerned, the Web Proxy service is the client.

If the client requests an object that is in the Web Proxy server's cache, only the connection between the client and the Web Proxy server is required. That connection enables the Web Proxy to masquerade as the Web server and return the cached object to the client. As far as the client is concerned, it communicated with the Web server, but the Web server may have had no part in servicing the request.

ISA Server Arrays

Suppose that you manage the network of a large organization that generates too much traffic with external servers to be handled by a single ISA Server. You could set up multiple ISA Servers and configure groups of clients to use different ones, but that could be an administrative nightmare. To promote scaling, ISA servers can be configured in arrays, as shown in Figure 5. The array is named ISA Array 1. The array consists of three ISA Servers, identified as ISAServer1A, ISAServer1B, and ISAServer1C.
ISA Servers in an array are configured from the same array policy, although a few properties can be configured independently on array members. There are several advantages to ISA arrays:

• The services on the ISA Servers in an array work together: firewall clients can use any ISA Server in the array.
• Servers in an array are managed as a single entity, and typically all servers are configured identically through the same properties.
• Web Proxy servers in an array share a virtual cache. A Web Proxy server can retrieve objects that were cached by another server in the array.
• Arrays improve fault tolerance, since the array continues to function if an individual server fails.

ISA Servers and arrays can be assigned names in DNS. If all servers in an array are given the same FQDN, round-robin addressing helps balance the load from ISA Server clients across the members of the array. In Figure 5, Host Address RRs map the FQDN isaarray1.pseudo to each of the servers in the array. See the section "Supporting Round Robin Addressing" in Chapter 3 for more information.
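The request rewriting of Figure 2, the cache walk-through of Figure 3, the "Limitations of Caching" rules about per-user pages and TTLs, and the two-connection model of "Web Proxy Versus NAT" can all be watched in one small program. The following is an added example and is not ISA Server code or the book's: a CERN-style forward proxy with a cache, run on loopback beside a constructed origin server that stands in for www.pseudo-corp.com. The object paths, the cache headers, the 30-second default TTL and the X-Cache header the proxy uses to report hits and misses are all assumptions of the example.

```python
"""Minimal CERN-style Web proxy with a cache beside a constructed origin; added illustration, not ISA code."""
import re
import socket
import threading
import time
from urllib.parse import urlsplit

# Constructed origin content standing in for www.pseudo-corp.com: "/" is the shared home
# page, "/account" a per-user page (cookie, no-store) that must never be cached.
ORIGIN_OBJECTS = {
    "/": (b"<html>pseudo-corp home</html>", "Cache-Control: max-age=60"),
    "/account": (b"<html>hello, user</html>", "Cache-Control: no-store\r\nSet-Cookie: sid=abc"),
}
ORIGIN_HITS = []   # (path, peer port) as seen by the origin; that peer is always the proxy


def _recv(sock, headers_only=False):
    """Read until the peer closes or, for header-only GET requests, until the blank line."""
    buf = b""
    while True:
        data = sock.recv(4096)
        buf += data
        if not data or (headers_only and b"\r\n\r\n" in buf):
            return buf


def serve(handler):
    """Listen on an ephemeral loopback port, run handler(conn) per connection, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def origin_handler(conn):
    """The Web server: it sees an ordinary relative request such as 'GET / HTTP/1.0'."""
    with conn:
        path = _recv(conn, headers_only=True).decode("latin-1").split(" ", 2)[1]
        ORIGIN_HITS.append((path, conn.getpeername()[1]))
        body, cache_hdrs = ORIGIN_OBJECTS.get(path, (b"not found", "Cache-Control: no-store"))
        status = "200 OK" if path in ORIGIN_OBJECTS else "404 Not Found"
        head = f"HTTP/1.0 {status}\r\n{cache_hdrs}\r\nContent-Length: {len(body)}\r\n\r\n"
        conn.sendall(head.encode("latin-1") + body)


class WebProxy:
    def __init__(self):
        self.cache, self.port = {}, serve(self.handle)   # cache: absolute URL -> (expiry, raw response)

    @staticmethod
    def _ttl(raw):
        """Seconds to keep a response, or None when it must not be cached (assumed default: 30 s)."""
        head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").lower()
        if " 200 " not in head.split("\r\n", 1)[0] or "no-store" in head or "set-cookie" in head:
            return None   # errors, no-store and cookie-bearing (per-user) pages stay out of the cache
        m = re.search(r"max-age=(\d+)", head)
        return int(m.group(1)) if m else 30

    @staticmethod
    def _tag(raw, tag):
        status_line, rest = raw.split(b"\r\n", 1)
        return status_line + b"\r\nX-Cache: " + tag + b"\r\n" + rest

    def _fetch(self, url):
        """The proxy's own, separate TCP connection to the origin; the origin never sees the client."""
        parts = urlsplit(url)
        with socket.create_connection((parts.hostname, parts.port or 80)) as upstream:
            upstream.sendall(f"GET {parts.path or '/'} HTTP/1.0\r\nHost: {parts.netloc}\r\n\r\n".encode("latin-1"))
            return _recv(upstream)

    def handle(self, conn):
        with conn:
            # A proxy client sends the absolute URL: 'GET http://host:port/path HTTP/1.0'
            url = _recv(conn, headers_only=True).decode("latin-1").split(" ", 2)[1]
            entry = self.cache.get(url)
            if entry and entry[0] > time.monotonic():
                conn.sendall(self._tag(entry[1], b"HIT"))   # answered without touching the origin
                return
            raw = self._fetch(url)
            ttl = self._ttl(raw)
            if ttl is not None:
                self.cache[url] = (time.monotonic() + ttl, raw)
            conn.sendall(self._tag(raw, b"MISS"))


def fetch_via_proxy(url, proxy_port):
    """Web Proxy client: its only TCP connection is to the proxy, and it sends the full URL."""
    with socket.create_connection(("127.0.0.1", proxy_port)) as sock:
        sock.sendall(f"GET {url} HTTP/1.0\r\n\r\n".encode("latin-1"))
        raw = _recv(sock)
    head, body = raw.split(b"\r\n\r\n", 1)
    return re.search(rb"X-Cache: (\w+)", head).group(1).decode(), body


def demo():
    """Home page twice, per-user page twice: returns the X-Cache tags and the origin's request count."""
    del ORIGIN_HITS[:]
    origin_port = serve(origin_handler)
    proxy = WebProxy()
    base = f"http://127.0.0.1:{origin_port}"
    tags = [fetch_via_proxy(base + p, proxy.port)[0] for p in ("/", "/", "/account", "/account")]
    return tags, len(ORIGIN_HITS)
```

Running demo() shows Figure 3 in miniature: the first request for "/" is a MISS and reaches the origin, the second is a HIT served entirely from the proxy's cache, and the two requests for "/account" both reach the origin because its no-store and Set-Cookie headers mark it as per-user content. The origin's recorded peer ports belong to the proxy's upstream sockets, never to the client, which is the addressing difference Figure 2 draws between a proxy and a router.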